hirondelle.web4j.security
Class SuppressUnwantedSessions

Using this filter means that browsers must have cookies enabled.
Some users believe that disabling cookies protects them. For web applications,
this seems inadvisable, since the replacement for cookies -- URL rewriting -- carries a
much higher security risk. URL rewriting is dangerous because it is a vector for
session hijacking and session fixation.

This class can be used only when form-based login is used.
When form-based login is used, the generation of the initial JSESSIONID
cookie is done only once per session, by the container. This filter helps you enforce the
policy that form-based login should be the only time a session cookie
is generated.

Superfluous sessions and session ids represent a security risk.
Here, the following approach is taken:

during form-based login, the container sends a session cookie to the browser

at no other time does the web application itself send a JSESSIONID, either in a
cookie or in a rewritten URL

upon logoff, the web application instructs the browser to delete the JSESSIONID cookie

Note how the container and the web application work together to manage the JSESSIONID cookie.

It's unfortunate that the Servlet API and Java Server Pages make it
a bit too easy to create new sessions. To circumvent that, this filter uses
custom wrappers for the underlying HTTP request and response.
These wrappers alter the implementations of the following methods related to creating sessions:

Calls to the getSession methods are in effect all coerced to getSession(false). Since this doesn't affect the form-based login mechanism, the user will
still receive a JSESSIONID cookie during form-based login. This policy ensures that your code
cannot mistakenly create a superfluous session.

The encodeXXX methods (encodeURL and encodeRedirectURL) are no-operations, and simply return the given String unchanged.
This policy in effect disables URL rewriting. URL rewriting is a security risk since it allows
session ids to appear in simple links, which are subject to session hijacking.

As a convenience, this class will also detect sessions that do not have a user login,
and will log such occurrences as a warning.
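The wrapper technique described above, together with the warning for sessions that have no user login, as an added illustration written for this page; it is not web4j's own SuppressUnwantedSessions code. It assumes the javax.servlet API and a container-managed login, so "no user login" is taken to mean getUserPrincipal() returns null; the class and logger names are hypothetical.

```java
import java.io.IOException;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import javax.servlet.http.HttpSession;
/** Hypothetical filter (not web4j's own): no session creation, no URL rewriting. */
public final class NoNewSessionsFilter implements Filter {
  private static final Logger LOGGER = Logger.getLogger(NoNewSessionsFilter.class.getName());

  @Override public void init(FilterConfig config) {}
  @Override public void destroy() {}

  @Override
  public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
      throws IOException, ServletException {
    HttpServletRequest request = new NoCreateRequest((HttpServletRequest) req);
    HttpServletResponse response = new NoRewriteResponse((HttpServletResponse) resp);
    // Existing session with no authenticated user: warn, but never log the session id itself.
    if (request.getSession(false) != null && request.getUserPrincipal() == null) {
      LOGGER.warning("Session without user login on " + request.getRequestURI());
    }
    chain.doFilter(request, response);
  }

  /** Every getSession variant behaves as getSession(false): the filter never creates one. */
  private static final class NoCreateRequest extends HttpServletRequestWrapper {
    NoCreateRequest(HttpServletRequest r) { super(r); }
    @Override public HttpSession getSession() { return super.getSession(false); }
    @Override public HttpSession getSession(boolean create) { return super.getSession(false); }
  }

  /** encodeURL/encodeRedirectURL return the URL untouched, so ;jsessionid= is never appended. */
  private static final class NoRewriteResponse extends HttpServletResponseWrapper {
    NoRewriteResponse(HttpServletResponse r) { super(r); }
    @Override public String encodeURL(String url) { return url; }
    @Override public String encodeRedirectURL(String url) { return url; }
    // Deprecated spellings still exist on javax.servlet; older callers may use them.
    @SuppressWarnings("deprecation") @Override public String encodeUrl(String url) { return url; }
    @SuppressWarnings("deprecation") @Override public String encodeRedirectUrl(String url) { return url; }
  }
}
```

The container's own form-based login still runs outside these wrappers, so the initial JSESSIONID cookie is issued exactly once, by the container, as the text describes.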